From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 22:23:55 +0100
Message-ID: <1506288235.2813.1.camel@ipfire.org>
In-Reply-To: <20170924221522.761c0436.peter.mueller@link38.eu>

On Sun, 2017-09-24 at 22:15 +0200, Peter Müller wrote:
> Hello Michael,
>
> > Hi,
> >
> > good testing guys.
>
> Thanks.
> >
> > I think the patch looks fine, but I think while we are at it, we should also
> > clean up the vhost configuration files. They are messy. Really, really messy.
>
> Yes, indeed.
> >
> > There are sections for the dial user which never existed in IPFire. There are also
> > directory directives for the dial user. These can all be removed I think.
> >
> > I have no idea what is using that access to the graphs directories. I think that
> > can also be removed.
> >
> > Then we have multiple CGI files that redirect to SSL themselves. I think we can
> > let Apache do that, if that isn't even caught automatically by redirecting
> > everything that isn't the update cache or proxy.pac to SSL.
> >
> > Anyone want to work on this?
>
> I can have a look at the vhost config files within this week. The CGIs are perhaps
> too difficult for me, since I am not familiar with Perl at the moment.
>
> Does this make the patch sent in obsolete/should I work on top of it?

Please work on top of it. I will merge this shortly.

Best,
-Michael

>
> Best regards,
> Peter Müller
> >
> > -Michael
> >
> > On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
> > > Hello Matthias,
> > >
> > > thanks for testing. Please see my comments below...
> > >
> > > > Hi Peter,
> > > >
> > > > I did the following:
> > > >
> > > > Stopped Apache on my test machine (192.168.100.251), patched files,
> > > > started Apache, accesses made with FF 55.0.3.
> > > >
> > > > 1. Accessing "http://192.168.100.251:444":
> > > >
> > > > "Bad Request
> > > >
> > > > Your browser sent a request that this server could not understand.
> > > > Reason: You're speaking plain HTTP to an SSL-enabled server port.
> > > > Instead use the HTTPS scheme to access this URL, please.
> > > > Apache Server at ipfiretest.localdomain Port 444"
> > >
> > > That is normal and also appears without my patch.
> > > >
> > > > 2. Accessing "https://192.168.100.251:444"
> > > >
> > > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > > your username and password. The site says: “IPFire - Restricted”"
> > > > => username / password
> > >
> > > This is normal, too.
> > > >
> > > > 3. Browser restart, reopening page, same result as 2., "Authentication
> > > > Required..."
> > >
> > > OK.
> > > >
> > > > 4. Accessing "http://192.168.100.251:81":
> > > >
> > > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > > your username and password. The site says: “IPFire - Restricted”"
> > > > => username / password
> > >
> > > Yep, here is the change: the browser is being redirected to the secure
> > > version.
> > > >
> > > > 5. Accessing "https://192.168.100.251:81":
> > > >
> > > > "Secure Connection Failed
> > > >
> > > > An error occurred during a connection to 192.168.100.251:81. SSL
> > > > received a record that exceeded the maximum permissible length. Error
> > > > code: SSL_ERROR_RX_RECORD_TOO_LONG"
> > >
> > > This is because there is no SSL engine running on port 81.
> > > Apache returns a "Bad Request" answer, which is surprisingly not understood
> > > by the browser.
> > > >
> > > > Anything else I could do?
> > >
> > > Not directly.
> > >
> > > It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> > > (perhaps in a school's network) could test this patch too, since these
> > > CGIs are not accessible via plaintext anymore.
> > >
> > > Both are not working here. "webaccess.cgi" redirects to SSL itself and
> > > says "disabled by administrator", while "chpasswd.cgi" just returns
> > > a 500 "Internal Server Error". Interesting.
> > >
> > > But since that is a special use case, I assume the patch works fine.
> > >
> > > Best regards and thanks again,
> > > Peter Müller
> > > >
> > > > Best,
> > > > Matthias
> > > >
> > > > On 24.09.2017 09:06, Peter Müller wrote:
> > > > > Force the usage of SSL when accessing protected locations.
> > > > >
> > > > > Queries to the plain text interface on port 81 will be answered
> > > > > with a 301 ("Moved permanently") status.
> > > > >
> > > > > All authentication directives on port 81 are disabled to prevent
> > > > > data leakage.
> > > > >
> > > > > Signed-off-by: Peter Müller
> > > > > ---
> > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > index 6f353962e..bec0d580b 100644 > > > > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > @@ -23,7 +23,10 @@ > > > > > AuthName "IPFire - Restricted" > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > + > > > > > + Require user admin > > > > > + Require ssl > > > > > + > > > > > > > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > > > > > > > > > @@ -32,7 +35,10 @@ > > > > > AuthName "IPFire - Restricted" > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > + > > > > > + Require user admin > > > > > + Require ssl > > > > > + > > > > > > > > > > Require all granted > > > > > > > > > > @@ -40,7 +46,10 @@ > > > > > Require all granted > > > > > > > > > > > > > > > - Require user admin > > > > > + > > > > > + Require user admin > > > > > + Require ssl > > > > > + > > > > > > > > > > > > > > > > > > > > @@ -49,7 +58,10 @@ > > > > > AuthName "IPFire - Restricted" > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > - Require user dial admin > > > > > + > > > > > + Require user dial admin > > > > > + Require ssl > > > > > + > > > > > > > > > > > > > > > SSLOptions +StdEnvVars > > > > > @@ -85,6 +97,9 @@ > > > > > AuthName "IPFire - Restricted" > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > + > > > > > + Require user admin > > > > > + Require ssl > > > > > + > > > > > > > > > > > > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > > > > b/config/httpd/vhosts.d/ipfire-interface.conf > > > > > index 619f90fcc..a0537b392 100644 > > > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf 
> > > > > @@ -12,36 +12,25 @@ > > > > > Require all granted > > > > > > > > > > > > > > > - AuthName "IPFire - Restricted" > > > > > - AuthType Basic > > > > > - AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > + Options SymLinksIfOwnerMatch > > > > > + RewriteEngine on > > > > > + RewriteCond %{HTTPS} off > > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] > > > > > > > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > > > > > > > AllowOverride None > > > > > - Options None > > > > > - AuthName "IPFire - Restricted" > > > > > - AuthType Basic > > > > > - AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > - > > > > > - Require all granted > > > > > - > > > > > - > > > > > - Require all granted > > > > > - > > > > > - > > > > > - Require user admin > > > > > - > > > > > + Options SymLinksIfOwnerMatch > > > > > + RewriteEngine on > > > > > + RewriteCond %{HTTPS} off > > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] > > > > > > > > > > > > > > > AllowOverride None > > > > > - Options None > > > > > - AuthName "IPFire - Restricted" > > > > > - AuthType Basic > > > > > - AuthUserFile /var/ipfire/auth/users > > > > > - Require user dial admin > > > > > + Options SymLinksIfOwnerMatch > > > > > + RewriteEngine on > > > > > + RewriteCond %{HTTPS} off > > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] > > > > > > > > > > Alias /updatecache/ /var/updatecache/
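Review bot: in all five hunks of ipfire-interface-ssl.conf the new pair "Require user admin" / "Require ssl" is enclosed by two added lines that are empty as archived here, so the container directive they must carry cannot be verified from this copy; it has to be a RequireAll section. Apache 2.4 treats Require directives that are not inside an explicit RequireAll, RequireAny or RequireNone section as an implicit RequireAny, and "Require ssl" is satisfied by every TLS connection, so if the container is RequireAny or gets lost, any HTTPS client reaches the protected locations without the admin credentials, which is the reverse of what the commit message intends. Please confirm the enclosing lines read <RequireAll> and </RequireAll> in the applied patch, and keep an unauthenticated request to the HTTPS interface on port 444 (expected answer 401) as the regression check alongside the redirect test Matthias already did.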
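Review bot: the hunk at @@ -49,7 +58,10 @@ in ipfire-interface-ssl.conf carries "Require user dial admin" forward unchanged, while Michael's reply above states that the dial user never existed in IPFire. Since this hunk already rewrites that line, it would be the natural place to drop "dial" as well; otherwise it should be on the list for the vhost clean-up Peter offered to do. Not a blocker for this patch.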
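Review bot: in the @@ -12,36 +12,25 @@ hunk of ipfire-interface.conf the three added RewriteRule lines sit in per-directory context (the neighbouring "AllowOverride None" and "Options" lines are only valid inside a <Directory> block), and there mod_rewrite matches the pattern "(.*)" against the path relative to that directory rather than the full URL path. With the absolute substitution "https://%{SERVER_NAME}:444/$1" the directory prefix is therefore lost for every block that is not the document root: a plain-text request for /cgi-bin/index.cgi, handled by the block behind the visible "ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/", would be redirected to /index.cgi on port 444. Matthias' test only exercised the root URL, where the relative and the full path coincide. Suggest "RewriteRule ^ https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]" in all three blocks so the requested path survives the redirect. The "RewriteCond %{HTTPS} off" line is always true in this vhost, as the thread confirms that no SSL engine runs on port 81, so it can be dropped; and since a 301 is cached by browsers, test any further change to the redirect target with a 302 first.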